[PATCH v2] staging: rtl8723bs: fix heap buffer overflow in cfg80211_rtw_add

public inbox for linux-staging@lists.linux.dev
 help / color / mirror / Atom feed

* [PATCH v2] staging: rtl8723bs: fix heap buffer overflow in cfg80211_rtw_add_key
@ 2026-04-07 10:21 Feng Ning
  2026-04-07 10:39 ` Greg KH
  0 siblings, 1 reply; 2+ messages in thread
From: Feng Ning @ 2026-04-07 10:21 UTC (permalink / raw)
  To: gregkh; +Cc: linux-staging, linux-kernel


[-- Attachment #1.1: Type: text/plain, Size: 1405 bytes --]

The cfg80211 framework allows key sequence counters (NL80211_KEY_SEQ)
up to 16 bytes, but ieee_param.crypt.seq is a fixed 8-byte buffer.
When cfg80211_rtw_add_key() copies the sequence counter via memcpy()
without checking seq_len, a heap buffer overflow of up to 8 bytes
occurs, overwriting adjacent fields key_len and key[].

Cap the copy length at the buffer size using min_t().

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Signed-off-by: Feng Ning <feng@innora.ai>
---
 drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
index 7cb0c6f22..4fba53c2d 100644
--- a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
+++ b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
@@ -883,8 +883,11 @@ static int cfg80211_rtw_add_key(struct wiphy *wiphy, struct net_device *ndev,
 
 	param->u.c
rypt.idx = key_index;
 
-	if (params->seq_len && params->seq)
-		memcpy(param->u.crypt.seq, (u8 *)params->seq, params->seq_len);
+	if (params->seq_len && params->seq) {
+		size_t seq_copy = min_t(size_t, params->seq_len,
+				       sizeof(param->u.crypt.seq));
+		memcpy(param->u.crypt.seq, (u8 *)params->seq, seq_copy);
+	}
 
 	if (params->key_len && params->key) {
 		param->u.crypt.key_len = params->key_len;
-- 
2.43.0

[-- Attachment #1.2: publickey - Jiqiang Feng - 0x7D1A285E.asc --]
[-- Type: application/pgp-keys, Size: 693 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 322 bytes --]

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH v2] staging: rtl8723bs: fix heap buffer overflow in cfg80211_rtw_add_key
  2026-04-07 10:21 [PATCH v2] staging: rtl8723bs: fix heap buffer overflow in cfg80211_rtw_add_key Feng Ning
@ 2026-04-07 10:39 ` Greg KH
  0 siblings, 0 replies; 2+ messages in thread
From: Greg KH @ 2026-04-07 10:39 UTC (permalink / raw)
  To: Feng Ning; +Cc: linux-staging, linux-kernel

On Tue, Apr 07, 2026 at 10:21:18AM +0000, Feng Ning wrote:
> The cfg80211 framework allows key sequence counters (NL80211_KEY_SEQ)
> up to 16 bytes, but ieee_param.crypt.seq is a fixed 8-byte buffer.
> When cfg80211_rtw_add_key() copies the sequence counter via memcpy()
> without checking seq_len, a heap buffer overflow of up to 8 bytes
> occurs, overwriting adjacent fields key_len and key[].
> 
> Cap the copy length at the buffer size using min_t().
> 
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> Signed-off-by: Feng Ning <feng@innora.ai>
> ---
>  drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
> index 7cb0c6f22..4fba53c2d 100644
> --- a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
> +++ b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
> @@ -883,8 +883,11 @@ static int cfg80211_rtw_add_key(struct wiphy *wiphy, struct net_device *ndev,
>  
>  	param->u.c
> rypt.idx = key_index;
>  
> -	if (params->seq_len && params->seq)
> -		memcpy(param->u.crypt.seq, (u8 *)params->seq, params->seq_len);
> +	if (params->seq_len && params->seq) {
> +		size_t seq_copy = min_t(size_t, params->seq_len,
> +				       sizeof(param->u.crypt.seq));
> +		memcpy(param->u.crypt.seq, (u8 *)params->seq, seq_copy);
> +	}
>  
>  	if (params->key_len && params->key) {
>  		param->u.crypt.key_len = params->key_len;
> -- 
> 2.43.0




Hi,

This is the friendly patch-bot of Greg Kroah-Hartman.  You have sent him
a patch that has triggered this response.  He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created.  Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.

You are receiving this message because of the following common error(s)
as indicated below:

- This looks like a new version of a previously submitted patch, but you
  did not list below the --- line any changes from the previous version.
  Please read the section entitled "The canonical patch format" in the
  kernel file, Documentation/process/submitting-patches.rst for what
  needs to be done here to properly describe this.

If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.

thanks,

greg k-h's patch email bot

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-04-07 10:39 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-07 10:21 [PATCH v2] staging: rtl8723bs: fix heap buffer overflow in cfg80211_rtw_add_key Feng Ning
2026-04-07 10:39 ` Greg KH

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox